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(57) A client workstation provides a login address 
as an anonymous ftp (file transfer protocol) 
request, and a password as a user's e-mail 
address. A destination server compares the 
user's e-mail address provided as a password to 
a list of authorized users' addresses. If the 
user's e-mail address is located on the list of 
authorized users' addresses maintained by the 
destination server, the destination server gener- 
ates a random number (X), and encrypts the 
random number in an ASCII representation us- 
ing encryption techniques provided by the Inter- 
net Privacy Enhanced Mail (PEM) procedures. 
The encrypted random number is stored in a file 
as the user's anonymous directory. The server 
further establishes the encrypted random num- 
ber as one-time password for the user. The 
client workstation initiates an ftp request to 
obtain the encrypted PEM random number as a 
file transfer (ftp) request from the destination 
server. The destination server then sends the 
PEM encrypted password random number, as 
an ftp file, over the Internet to the client works- 
tation. The client workstation decrypts the PEM 
encrypted file utilizing the user's private RSA 
key, in accordance with established PEM dec- 
ryption techniques. The client workstation then 
provides the destination server with the decryp- 
ted random number password, which is sent in 
the clear over the Internet, to login to the 
destination server. Upon receipt of the decryp- 
ted random number password, the destination 
server permits the user to login to the anony- 
mous directory, thereby completing the user 
authentication procedure and accomplishing 
login. 
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BACKGROUND OF THE INVENTION 

1. Field of the Invention : 

The present invention relates to methods and ap- 
paratus for providing remote user authentication in a 
public network. More particularly, the present inven- 
tion provides methods and apparatus for remote au- 
thentication using a one-time password scheme hav- 
ing a secure out-of-band channel for initial password 
delivery. 

2. Art Background : 

Over the past few years, the networking of com- 
puters for electronic mail ("e-mail") communication 
and data transfer has grown from simple local area 
networks to a global network referred to as the "Inter- 
net". The Internet comprises a spiderweb of networks 
which criss-cross the globe and permit users to send 
and receive e-mail messages, transfer data and ac- 
cess remote data bases between computers coupled 
to servers. In addition to fixed positions on the Inter- 
net, computer systems, such as for example, lap top 
computers, may be physically moved from one loca- 
tion on the network to another. Wireless links cou- 
pling the computers to the Internet, such as direct sat- 
ellite links, also permit users to access the Internet 
from remote areas. 

As the number of users on the Internet has 
grown, so have concerns regarding network security. 
Many businesses and government organizations util- 
ize the Internet for the transfer of business informa- 
tion, government project data and other information 
which may be considered confidential. Due to the size 
and complexity of the Internet, the opportunity for an 
intruder to intercept messages and gain access to 
confidential information has become a significant 
concern. The Internet community has established 
message encryption and authentication procedures 
for Internet electronic mail. These encryption and au- 
thentication procedures are known as privacy en- 
hanced mail (PEM). The PEM protocol establishes 
procedures to provide for enhanced privacy in e-mail 
services over the Internet. The PEM protocol is in- 
tended to be compatible with a wide range of key man- 
agement approaches including symmetric (secret 
key) and asymmetric (public key) approaches for the 
encryption of data encrypting keys. Privacy en- 
hanced mail services assure message integrity, and 
are offered through the use of end-to-end cryptogra- 
phy between originator and recipient processes at or 
above the user level. No special processing require- 
ments are imposed on the message transfer system 
at endpoints, or at intermediate relay sites on the In- 
ternet. The reader is referred to the PEM RFC docu- 
ments filed concurrent with the application on which 
this patent is based, and incorporated herein by ref- 



erence, entitled: "Privacy Enhancement for Internet 
Electronic Mail", Parts l-IV, RFCS 1421-1424, avail- 
able on the Internet at /home/internet/rfcs on files 
rfc1421-rfc1424 (hereinafter at times referred to as 

5 "PEM Protocols"). 

However, although privacy enhanced mail ser- 
vice is available on the Internet, all current applica- 
tions on the Internet (commonly referred to as "leg- 
acy" applications), such as Telnet, File Transfer Pro- 

10 tocol ("ftp"), and the like, use simple authentication 
having reusable passwords. Although it is generally 
understood that strong authentication using crypto- 
techniques would provide enhanced password secur- 
ity on the Internet, retrofitting the existing installed 

15 base of network applications with such a strong au- 
thentication mechanism would take some period of 
time. In the interim, an intruder can monitor the net- 
work and intercept passwords transmitted over the 
Internet. Since all passwords are currently transmit- 

20 ted from user to a remote server in unencrypted 
("clear") form, Internet users are vulnerable to an in- 
truder determining their password, and later logging 
on to a server utilizing the stolen password of a legit- 
imate user. In fact, there have been cases where in- 

25 truders have tapped the Internet at well known public 
sites and have accumulated literally thousands of le- 
gitimate valid passwords. Thus, the Internet must be 
viewed as a large insecure channel in which pass- 
words are transmitted in the clear, and may be ac- 

30 quired by unauthorized parties. 

As will be described, the present invention pro- 
vides methods and apparatus to permit an Internet 
user to acquire a password which is good for only a 
one time use. Through the use of the existing privacy 

35 enhanced mail system on the Internet, the present in- 
vention ensures that only the legitimate user can gain 
access to the password. Moreover, as will be descri- 
bed, the present invention does not require the retro- 
fitting of existing applications and computers with a 

40 strong authentication mechanism. 

Summary of the Invention 

The present invention provides an improved 
45 method and apparatus for user authentication in a 
network environment between a client computer 
("workstation") and a remote destination server cou- 
pled to a network. A user operating the client worksta- 
tion provides a login address as an anonymous ftp 
so (file transfer protocol) request, and a password as the 
user's e-mail address. The destination server com- 
pares the user's e-mail address provided as a pass- 
word to a list of authorized users' addresses. If the 
user e-mail address provided is not on the destination 
55 server's list of authorized user addresses, then the 
user login request is automatically denied. If the 
user's e-mail address is located on the list of autho- 
rized users' addresses maintained by the destination 



3 



3 



EP0 686 905 A1 



4 



server, the destination server generates a random 
number (X), and encrypts the random number in an 
ASCII representation using encryption techniques 
provided by the Internet Privacy Enhanced Mail 
(PEM) message and encryption authentication pro- 
cedures. The encrypted random number is stored in 
a file as the user's anonymous directory. The server 
further establishes the encrypted ASCII representa- 
tion of the random number as one-time password for 
the user. The client workstation initiates an ftp re- 
quest to obtain the encrypted PEM random number 
as a file transfer (ftp) request from the destination 
server. The destination server then sends the PEM 
encrypted password random number, as an ftp file, 
over the Internet to the client workstation. The client 
workstation decrypts the PEM encrypted file utilizing 
the user's private RSAkey, in accordance with estab- 
lished PEM decryption techniques. The client work- 
station then provides the destination server with the 
decrypted random number password, which is sent in 
the clear over the Internet, to login to the destination 
server. Upon receipt of the decrypted random number 
password, the destination server permits the user to 
login to the anonymous directory, thereby completing 
the user authentication procedure and accomplishing 
login. The destination server removes the random 
number password from its anonymous directory, 
such that any future login attempts requires a new 
random number password. Additionally, the destina- 
tion serverdeems the random number password valid 
only for a predetermined time period (t), such that any 
delay beyond the time period (t) in accomplishing the 
login by the client workstation results in a timeout, 
and invalidation of the random number password. In 
the event of a timeout, the user must obtain a new ran- 
dom number password from the destination server in 
accordance with the method of the present invention. 

Brief Description of the Drawings 

Figure 1 illustrates a work station used to com- 
municate with other workstations over a network and 
incorporating the teachings of the present invention. 

Figure 2 conceptually illustrates the Internet net- 
work. 

Figure 3 is a flow chart illustrating the sequence 
of steps executed by a user's workstation of the type 
illustrated in Figure 1. 

Figure 4 is a flow chart illustrating the sequence 
of steps for the present invention's privacy enhanced 
mail based user authentication system, executed by 
a server data processing device. 

Figure 5 is a diagrammatical illustration of the 
data paths utilized by the present invention for provid- 
ing an encrypted password using privacy enhanced 
mail, and the use of the decrypted password sent 
over the Internet in accordance with the teachings of 
the present invention to accomplish login. 



Notation and Nomenclature 

The detailed descriptions which follow are pre- 
sented largely in terms of symbolic representations of 

5 operations of data processing devices coupled to a 
network. These process descriptions and representa- 
tions are the means used by those skilled in the data 
processing arts to most effectively convey the sub- 
stance of their work to others skilled in the art. 

10 An algorithm is here, and generally, conceived to 

be a self-consistent sequence of steps leading to a 
desired result. These steps are those requiring phys- 
ical manipulations of physical quantities. Usually, 
though not necessarily, these quantities may take the 

15 form of electrical or magnetic signals capable of being 
stored, transferred, combined, compared, displayed 
and otherwise manipulated. It proves convenient at 
times, principally for reasons of common usage, to re- 
fer to these signals as bits, values, elements, sym- 

20 bols, operations, messages, terms, numbers, or the 
like. It should be borne in mind, however, that all of 
these similar terms are to be associated with the ap- 
propriate physical quantities and are merely conve- 
nient labels applied to these quantities. 

25 In the present invention, the operations referred 

to are machine operations. Useful machines for per- 
forming the operations of the present invention in- 
clude general purpose digital computers (referred 
herein as "workstations"), or other similar devices. In 

30 all cases, the reader is advised to keep in mind the 
distinction between the method operations of operat- 
ing a computer and the method of computation itself. 
The present invention relates to method steps for op- 
erating a computer, coupled to a series of networks, 

35 and processing electrical or other physical signals to 
generate other desired physical signals. 

The present invention also relates to apparatus 
for performing these operations. This apparatus may 
be specially constructed for the required purposes or 

40 it may comprise a general purpose computer selec- 
tively activated or reconfigured by a computer pro- 
gram stored in the computer. The method/process 
steps presented herein are not inherently related to 
any particular computer or other apparatus. Various 

45 general purpose machines may be used with pro- 
grams in accordance with the teachings herein, or it 
may prove more convenient to construct specialized 
apparatus to perform the required method steps. The 
required structure for a variety of these machines will 

so be apparent from the description given below. 

Detailed Description of the Invention 

In the following description, numerous details are 
55 set forth such as workstation system configurations, 
representative messages, servers, etc., to provide a 
thorough understanding of the present invention. 
However, it will be apparent to one skilled in the art 
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that the present invention may be practiced without 
these specific details. In other instances, well known 
circuits and structures are not described in detail in 
order to not obscure the present invention. Moreover, 
certain terms such as "knows", "sends", "receives", 
"verifies", "examines", "finds", "determines", "authen- 
ticates", etc., are used in this Specification and are 
considered to be terms of art. The use of these terms, 
which to a casual reader may be considered person- 
ifications of computer or electronic systems, refers, 
for si mpl icity , to the f u notions of the system as having 
human-like attributes. For example, a reference here- 
in to an electronic system as "determining" something 
is simply a shorthand method of describing that the 
electronic system has been programmed or other- 
wise modified in accordance with the teachings here- 
in. The reader is cautioned not to confuse the func- 
tions described with everyday human attributes. 
These functions are machine functions in every 
sense. 

Figure 1 illustrates a data processing system 
(hereinafter a "workstation") in accordance with the 
teachings of the present invention. The workstation 
includes a computer 10 which comprises three major 
components. The first of these is an input/output (I/O) 
circuit 12 which is used to communicate information 
in appropriately structured form to and from other 
portions of the computer 10. In addition, computer 10 
includes a central processing unit (CPU) 13 coupled 
to the I/O circuit 1 2 and a memory 1 4. These elements 
are those typically found in most general purpose 
computers and, in fact, computer 10 is intended to be 
representative of a broad category of data processing 
devices. Also shown in Figure 1 is a keyboard 15 to 
input data and commands into computer 10, as is well 
known. A network interface circuit 17 is also coupled 
to the computer 1 0 through I/O circuit 12, to permit the 
computer 10 to communicate with other workstations 
and servers over a network, such as for example, the 
Internet. A raster display monitor 1 6 is shown coupled 
to the I/O circuit 1 2 and is used to display images gen- 
erated by CPU 13 in accordance with the present in- 
vention. Any well known variety of cathode ray tube 
(CRT) or other type of display may be utilized as dis- 
play 16. 

Referring now to Figure 2, the Internet may be 
conceptually described as an open network generally 
referred to in the figure by the numeral 20, to which 
numerous servers 22, 24, 26 and 28 are coupled. 
Each of the respective servers is coupled to worksta- 
tions 29, 31, 33 and 35, as shown. It will be appreci- 
ated that Figure 2 is described for illustration purpos- 
es only, and that in reality the Internet includes many 
tens of thousands of servers and work stations. Ad- 
ditionally, although the Internet is illustrated in Figure 
2 as a single network, it will be appreciated that the 
Internet is actually a series of networks forming a spi- 
derweb-like topology spanning virtually every conti- 



nent in the world. As is well known, a user operating 
a workstation in, for example, Singapore, may send 
messages, access data and databases and execute 
a variety of functions over the Internet to, for exam- 
5 pie, a workstation located in Mountain View, Califor- 
nia. 

In the operation of many networks, and in partic- 
ular, the Internet, a user operating for example work- 
station 29, referred to as the "client workstation", may 

10 wish to access a workstation 33 which, as illustrated, 
is coupled to the server 26. The server 26 is referred 
to in the industry as the "destination server" and the 
combination of client workstation 29 and server 26 is 
known as the "client-server". Generally, in order for 

15 client workstation 29 to access destination server 26 
and data which may be disposed at the server 26, or 
alternatively, at a workstation 33, it is necessary for 
the client workstation 29 to provide a password to the 
server 26. However, as previously noted, passwords 

20 are sent over the Internet 20 in "the clear" thereby giv- 
ing intruders access to unencrypted passwords. Ad- 
ditionally, passwords are relatively easy to guess giv- 
en a sufficiently powerful workstation eavesdropping 
at a node on the Internet. Once an unencrypted pass- 

25 word has been captured by an intruder the intruder 
may then access the network devices as an autho- 
rized user. Thus, the sending of passwords in the 
clear over the Internet provides an opportunity for a 
would be intruder to gain access to an authorized 

30 user's password, and thereby compromises network 
security. 

In accordance with the teachings of the present 
invention, assume for sake of example, that a client 
workstation 29 desires to access a destination server 

35 26 coupled to the Internet 20. In order to access the 
destination server 26 it is necessary for the client 
workstation 29 to login on the server 26. The login by 
the client workstation 29 to server 26 is an authenti- 
cated login in accordance with the teachings of the in- 

40 vention. Traditionally, the client workstation 29 would 
simply provide a password to the destination server 
26 in the clear over the Internet 20. However, for the 
reasons previously described, the sending of a pass- 
word in the clear compromises network security and 

45 provides an unacceptable opportunity for intrusion by 
third parties. One of the characteristics of the present 
invention is that its methodology operates in conjunc- 
tion with existing network applications. As previously 
described, one of the existing network applications 

so on the Internet is privacy enhancement for Internet 
electronic mail (PEM). Each of the servers (in Figure 
1 servers 22, 24, 26 and 28) coupled to the Internet 
20 includes PEM, as does each of the workstations 
29, 31, 33 and 35. Generally, PEM is designed to re- 

55 ceive a user name (e-mail address) and to fetch its 
corresponding public key certificate. In general, PEM 
provides public key cryptography for electronic mail 
messages, and security for the mail message itself, 
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as opposed to the authentication of an authorized 
user. The detailed operation of privacy enhanced mail 
will not be described in this Specification, since it is 
well established and currently functioning on the In- 
ternet. The reader is referred to the Internet docu- 
ments, incorporated by reference herein, entitled 
"Privacy Enhancement for Internet Electronic Mail", 
parts l-IV, (RFC 14.21 workstation 40 electronic mail 
name to its list of authorized users. If the user's elec- 
tronic mail name (in the present example, client work- 
station 40) is not on the list of authorized users, the 
client login request is rejected. 

If the identified user is on the list of authorized 
users, then, as illustrated in Figure 4, the destination 
server 42 generates a random number (X) which will 
be used as a one-time password. An ASCII represen- 
tation of the random number is encrypted using the 
PEM algorithm, and is placed in a file in the user's 
anonymous directory using PEM encrypted message 
procedures. As shown in Figure 4, the destination 
server 42 establishes the encrypted ASCII represen- 
tation of the random number X as the one-time pass- 
word for the user. 

It will be appreciated that the encrypted random 
number password is addressed only to the user oper- 
ating workstation 40. Only the authorized user oper- 
ating workstation 40 can decrypt the encrypted ran- 
dom number password. As illustrated in the flowchart 
of Figure 3, the client workstation 40 does an ftp to 
obtain the encrypted PEM random number password 
from the destination server 42. The destination ser- 
ver 42 sends the encrypted PEM random number 
password to the workstation 40 over the Internet 20. 
Although an intruder can detect the encrypted ran- 
dom number password over the Internet 20, only the 
authorized user of workstation 40 can decrypt the 
random number password in accordance with the 
teachings of PEM. The workstation 40, using the PEM 
decryption methodology, decrypts the encrypted 
PEM file using the PEM users private RSAkey. 

The reader is referred to the document, incorpo- 
rated by reference herein, by Fahn, "Answers to Fre- 
quently Asked Questions about Today's Cryptogra- 
phy" (RSA Laboratories, 1992), submitted concurrent 
with the filing of the application on which this patent 
is based, and other references submitted, for a de- 
tailed description of RSA technology. Since the RSA 
technology is well known, it will not be described fur- 
ther herein. 

As shown in the flowchart of Figure 3, once the 
PEM encrypted random number password is decrypt- 
ed by the client workstation 40 using its private key, 
the decrypted password is then supplied over the In- 
ternet 20 to the destination server 42 for login. For the 
actual login by the client workstation 40 to the destin- 
ation server 42, the decrypted random number pass- 
word is sent in the clear over the Internet 20 along 
with the user's e-mail address name. 



As shown in Figure 4, the destination server 42 
permits the user to login to the anonymous directory 
utilizing the one-time random number password with- 
in a predetermined time (t). Providing a predeter- 

5 mined time window in which to permit the client work- 
station 40 to login to the destination server 42, pro- 
vides additional security. In the event the time period 
(t) expires without the workstation 40 logging into the 
destination server 42 utilizing the decrypted random 

10 number password, then a time out occurs and the ran- 
dom number password is deemed invalid. In such 
event, it is necessary for the user operating the client 
workstation 40 to acquire a new random number 
password utilizing the teachings described in this 

15 Specification with reference to Figures 3 and 4. As- 
suming that the user provides the decrypted random 
number password to the destination server 42 within 
the time interval (t), the destination server 42 permits 
the login and the user authentication process is com- 

20 pleted. The destination server 42 then removes the 
random numberX as a password for the user, thereby 
requiring any future logins by the workstation 40 to 
first obtain a new random number password. Thus, 
each login between a client and a server over the In- 

25 ternet requires a new password. 

It will be appreciated that since the decrypted 
random number password provided by the client 
workstation 40 to the destination server 42 over the 
Internet 20 is sent in the clear, an intruder can detect 

30 this password during the login process. However, 
since the server 42 invalidates or removes the ran- 
dom number password after each successful login, or 
alternatively, after the time out of the interval (t), net- 
work security is not compromised. Even assuming an 

35 intruder intercepts the decrypted random number 
password over Internet 20, it is of no use to the intrud- 
er since it is only valid for a single login, and the login 
must occur during the predetermined time (t). 

Accordingly, a system and method for user au- 

40 thentication in a public network is disclosed. While 
the present invention has been described in conjunc- 
tion with a few specific embodiments identified in 
Figures 1-5, it will be apparent to those skilled in the 
art that many alternatives, modifications and varia- 

45 tions in light of the foregoing description are possible. 
For example, although the present invention has 
been described with reference to user authentication 
in the Internet environment, it will be appreciated that 
the teachings of the present invention may be applied 

so to any public or private network topology. 

Claims 

55 1 . A method for user authentication between a first 
computer and a second computer, comprising the 
steps of: 

providing an element for performing the 



6 



9 



EP0 686 905 A1 



10 



step of said first computer providing a first re- 
quest to said second computer, said first request 
including a user identification code identifying a 
user of said first computer; 

providing an element for performing the 
step of said second computer receiving said first 
request and determining if said user identifica- 
tion code of said user is authorized, such that if 
said user identification code is authorized said 
second computer: 

generates a first random number; 
stores said first random number as 
a one time password; 

encrypts said first random number 
used as said one time password; 

providing an element for performing the 
step of said second computer providing said en- 
crypted one time password to said first computer; 

providing an element for performing the 



word within said time (t) from said first computer, 
said first random number is invalidated as said 
one time password by said second computer and 
is unusable. 

5. The method as defined by Claim 4 wherein any 
subsequent authentication of said user requires 
the generation of a new random number to be 
used as said one time password. 

6. The method as defined by Claim 5 wherein said 
second computer encrypts said first random 
number using PEM encryption. 



7. The method as defined by Claim 6 wherein said 
first computer decrypts said one time password 
using PEM decryption. 

5 8. The method as defined by Claim 7 wherein said 
network comprises the Internet. 

9. The method as defined by Claim 8 wherein said 
first request further includes an anonymous ftp 

10 request as a login. 

10. The method as defined by Claim 9 wherein said 
second request comprises an anonymous ftp re- 
quest to obtain said encrypted one time pass- 

15 word from said second computer. 

11. A system for user authentication between a first 
computer and a second computer, comprising: 

a receiving element coupled to said first 
computer for providing a first request to said sec- 
ond computer, said first request including a user 
identification code identifying a user of said first 
computer; 

an element coupled to said second com- 
puter for receiving said first request and deter- 
mining if said user identification code of said user 
is authorized, such that if said user identification 
code is authorized said second computer: 

generates a first random number; 
stores said first random number as 
a one time password; 

encrypts said first random number 
used as said one time password; 

said second computer including a trans- 
mission element for providing said encrypted one 
time password to said first computer; 

said first computer including a decrypting 
element for decrypting said one time password 
and providing said decrypted one time password 
to said second computer; 

said second computer comparing said re- 
ceived decrypted one time password to said stor- 
ed one time password, such that if said received 
and stored one time passwords match said user 
is authenticated. 

12. The system as defined by Claim 11 wherein said 
first computer provides a second request to said 
second computer to obtain said encrypted one 

so time password, said second computer upon re- 

ceipt of said second request provides said en- 
crypted one time password to said first computer. 

13. The system as defined by Claim 12 wherein said 
55 first and second computers are coupled for com- 
munication between each other over a network. 

14. The system as defined by Claim 13 wherein said 



step of said first computer decrypting said one 20 
time password and providing said decrypted one 
time password to said second computer; 

providing an element for performing the 
step of said second computer comparing said re- 
ceived decrypted one time password to said stor- 25 
ed one time password, such that if said received 
and stored one time passwords match said user 
is authenticated. 

2. The method as defined by Claim 1 wherein said 30 
first computer provides a second request to said 
second computer to obtain said encrypted one 
time password, said second computer upon re- 
ceipt of said second request provides said en- 
crypted one time password to said first computer. 35 

3. The method as defined by Claim 2 wherein said 
first and second computers are coupled for com- 
munication with one another over a network. 

40 

4. The method as defined by Claim 3 wherein said 
second computer stores said first random num- 
ber as said one time password for a predeter- 
mined time (t), such that if said second computer 
does not receive said decrypted one time pass- 45 
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second computer stores said first random num- 
ber as said one time password for a predeter- 
mined time (t), such that if said second computer 
does not receive said decrypted one time pass- 
word within said time (t) from said first computer, 5 
said first random number is invalidated as said 
one time password by said second computer and 
is unusable. 

15. The system as defined by Claim 14 wherein any 10 
subsequent authentication of said user requires 

the generation of a new random number to be 
used as said one time password. 

1 6. The system as defined by Claim 1 5 wherein said 15 
second computer encrypts said first random 
number using PEM encryption. 

17. The system as defined by Claim 16 wherein said 

first computer decrypts said one time password 20 
using PEM decryption. 

18. The system as defined by Claim 17 wherein said 
network comprises the Internet. 

25 

19. The system as defined by Claim 18 wherein said 
first request further includes an anonymous ftp 
request as a login. 

20. The system as defined by Claim 1 9 wherein said 30 
second request comprises an anonymous ftp re- 
quest to obtain said encrypted one time pass- 
word from said second computer. 
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